Fake SARS emails used in sophisticated cyberattack campaign targeting South African companies

A sophisticated cybercrime campaign linked to hacker group SilverFox has targeted South African businesses using fake South African Revenue Service (SARS) notifications designed to trick employees into downloading malicious files.

Cybersecurity researchers say the attacks formed part of a broader international phishing operation that also targeted organisations in India, Indonesia and Russia between January and February 2026.

According to global cybersecurity company Kaspersky, the phishing emails were carefully designed to resemble official tax audit notices or legal warnings from tax authorities.

Many of the emails urged recipients to download an attachment allegedly containing a “list of tax violations” or legal documents linked to unpaid taxes.

Once opened, the files triggered a complex malware delivery chain capable of compromising entire corporate systems.

Researchers recorded more than 1 600 malicious emails during the campaign, with companies in the industrial, consulting, transport and trade sectors among the main targets.

Attackers used advanced malware and social engineering

Cybersecurity experts said social engineering played a central role in the operation.

The attackers relied heavily on urgency and fear, exploiting the authority associated with tax agencies to pressure employees into clicking links or downloading infected archives.

In one phishing attempt collected by SARS in February 2026, recipients were falsely accused of failing to settle tax debt over several years.

The email included what appeared to be a court summons and contained a button labelled “view legal document & case details here”, which downloaded a malicious 62.3 KB file.

Anton Kargin, senior security researcher at Kaspersky, said the operation used multiple stages and various email domains to reduce the likelihood of detection.

Security analysts also warned that SilverFox has become increasingly sophisticated in its techniques.

Lionel Dartnall, SADC country manager for cybersecurity firm Check Point Software, said the group now operates using methods commonly associated with advanced persistent threat (APT) actors.

According to Dartnall, the hackers used a “bring your own vulnerable driver” tactic to disable security software running on infected systems, allowing malware to remain hidden for longer periods.

SilverFox expands operations beyond Asia

The campaign also revealed the use of a new Python-based backdoor known as “ABCDoor”.

Researchers said the malware was an upgraded version of the ValleyRat backdoor previously used extensively against organisations in Taiwan and Japan.

Once installed, the malware allowed attackers to remotely control infected devices, upload or steal files and interfere with security protections.

SilverFox was previously known mainly for targeting East Asian businesses in sectors such as telecommunications, energy, finance and logistics.

However, researchers say the group has increasingly shifted its attention to markets outside Asia, including South Africa.

Cybersecurity firms are now urging South African businesses to strengthen internal security practices by enforcing multifactor authentication, applying software patches quickly and implementing intrusion prevention systems.

Experts also stressed the importance of employee training and phishing awareness, warning that human error remains one of the biggest vulnerabilities in modern cyberattacks.

Security companies added that advanced email filtering systems capable of scanning password-protected archives could significantly reduce the risk of future attacks.
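As an added illustration of that last recommendation (this is not code from the article, Kaspersky or Check Point), here is a small Python triage routine of the kind a mail gateway could run on a zip attachment: it flags entries carrying the zip encryption bit, tries any password quoted in the message body, refuses to pass an archive it cannot look inside, and blocks executables or executable content hiding behind document-like names. The blocked-extension list, the password regex and the sample archives built by `build_sample` are constructed assumptions for this example.

```python
import io
import re
import zipfile
# Constructed policy list: extensions that should never arrive inside an emailed archive.
BLOCKED_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".hta")
# Heuristic (assumption): lures often quote the archive password in the body text.
PASSWORD_RE = re.compile(r"password(?:\s+is)?\s*[:=]?\s*([^\s,.;]+)", re.IGNORECASE)
def triage_archive(attachment: bytes, body_text: str) -> dict:
    """Decide 'allow', 'block' or 'quarantine' for an emailed zip attachment."""
    result = {"encrypted": False, "entries": [], "verdict": "allow", "reason": ""}
    if not zipfile.is_zipfile(io.BytesIO(attachment)):
        result.update(verdict="quarantine", reason="not a zip archive")
        return result
    candidates = [None] + PASSWORD_RE.findall(body_text)  # try without a password first
    with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
        for info in zf.infolist():
            result["entries"].append(info.filename)
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag marks an encrypted entry
                result["encrypted"] = True
            if info.filename.lower().endswith(BLOCKED_EXT):
                result.update(verdict="block", reason=f"blocked extension: {info.filename}")
                return result
            head = None
            for pwd in candidates:
                try:
                    with zf.open(info, pwd=pwd.encode() if pwd else None) as fh:
                        head = fh.read(2)
                    break
                except RuntimeError:  # missing or wrong password for an encrypted entry
                    continue
            if head is None:  # cannot be scanned, so never let it through unseen
                result.update(verdict="quarantine", reason=f"unreadable encrypted entry: {info.filename}")
                return result
            if head == b"MZ":  # PE executable hiding behind a document-like name
                result.update(verdict="block", reason=f"PE header in {info.filename}")
                return result
    return result
def build_sample(entries: dict, mark_encrypted: bool = False) -> bytes:
    """Construct a test zip; optionally set the encryption flag bit in every header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:  # local header flags sit at +6, central directory flags at +8
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            for m in re.finditer(re.escape(sig), bytes(raw)):
                raw[m.start() + off] |= 0x1  # data is left unencrypted: test data only
    return bytes(raw)
```

A real gateway would hand every readable entry to the content scanner rather than only checking the first two bytes; the point here is that an archive whose contents cannot be opened is quarantined instead of delivered.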

Source: Kaspersky, Check Point Software
